Stuart Henderson wrote:
You may be recycling port numbers before the state fully expired.
If that's the case you can try reducing the tcp.closed timeout:
"keep state (tcp.closed XX)".
I've changed
pass quick on $bridge inet proto tcp from any to $mynetwork port { 80,
443 } keep state \
(max-src-conn 800, max-src-conn-rate 100/1, \
overload <http_brutes> flush global) allow-opts
to
pass quick on $bridge inet proto tcp from any to $mynetwork port { 80,
443 } keep state \
(tcp.closed 15, max-src-conn 800, max-src-conn-rate 100/1, \
overload <http_brutes> flush global) allow-opts
but I get the same error:
$ tail -f /var/log/messages | grep 217.130.13.161
Sep 22 17:01:27 ares /bsd: pf: BAD state: TCP 217.130.13.161:32798
217.130.13.161:32798 212.36.74.109:443 [lo=971805947 high=971872187
win=96 modulator=0 wscale=7] [lo=2426939406 high=2426951694 win=33120
modulator=0 wscale=1] 4:4 S seq=3055995244 (3055995244) ack=2426939406
len=0 ackskew=0 pkts=16:7 dir=out,fwd
Sep 22 17:01:30 ares /bsd: pf: BAD state: TCP 217.130.13.161:32798
217.130.13.161:32798 212.36.74.109:443 [lo=971805947 high=971872187
win=96 modulator=0 wscale=7] [lo=2426939406 high=2426951694 win=33120
modulator=0 wscale=1] 4:4 S seq=3055995244 (3055995244) ack=2426939406
len=0 ackskew=0 pkts=16:7 dir=out,fwd
Sep 22 17:01:36 ares /bsd: pf: BAD state: TCP 217.130.13.161:32798
217.130.13.161:32798 212.36.74.109:443 [lo=971805947 high=971872187
win=96 modulator=0 wscale=7] [lo=2426939406 high=2426951694 win=33120
modulator=0 wscale=1] 4:4 S seq=3055995244 (3055995244) ack=2426939406
len=0 ackskew=0 pkts=16:7 dir=out,fwd
--
Thanks,
Jordi Espasa Clofent
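When a box logs this kind of "BAD state" entry repeatedly, the useful first step is to pull the state numbers and sequence windows out of the line rather than reading the raw dump, because they tell you which side of the state machine the mismatch is on and therefore which timeout could plausibly be involved. The script below is an added triage example and is not part of the original thread or of pf; the three sample lines are the ones from the message above, re-joined onto single lines because the mail client wrapped them. The field interpretation is my reading of the pf state print format of that era: the three `addr:port` pairs are the state's lan, gwy and ext keys, the two bracketed blocks are the sequence windows tracked for the source and destination side, `4:4` are the per-side TCP states (4 is ESTABLISHED in the BSD `tcp_fsm.h` numbering), and the letter after them is the flags of the packet that failed the check. The heuristic `is_stale_state_syn` flags the pattern Stuart describes: a bare SYN hitting a still-ESTABLISHED state with a sequence number outside the tracked window, which is what a client reusing a source port before the old state expired looks like. Note that such a state is governed by `tcp.established`, not `tcp.closed`, which only shortens the lifetime of states that have already been torn down.

```python
import re
from collections import Counter

# Constructed sample: the three BAD state lines from the message, each
# re-joined onto one line (syslog writes them that way; the mail wrapped them).
_LINE = (
    "Sep 22 {ts} ares /bsd: pf: BAD state: TCP 217.130.13.161:32798 "
    "217.130.13.161:32798 212.36.74.109:443 [lo=971805947 high=971872187 "
    "win=96 modulator=0 wscale=7] [lo=2426939406 high=2426951694 win=33120 "
    "modulator=0 wscale=1] 4:4 S seq=3055995244 (3055995244) ack=2426939406 "
    "len=0 ackskew=0 pkts=16:7 dir=out,fwd"
)
SAMPLE_LOG = "\n".join(_LINE.format(ts=t) for t in ("17:01:27", "17:01:30", "17:01:36"))

TCPS_ESTABLISHED = 4  # BSD tcp_fsm.h numbering: 0 CLOSED ... 4 ESTABLISHED ... 10 TIME_WAIT

# Assumed field order (lan gwy ext, then src window, dst window, src:dst state,
# flags of the offending packet, seq/ack/len, ackskew, packet counters, direction).
BAD_STATE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?pf: BAD state: (?P<proto>\w+) "
    r"(?P<lan>\S+) (?P<gwy>\S+) (?P<ext>\S+) "
    r"\[lo=(?P<src_lo>\d+) high=(?P<src_hi>\d+) win=(?P<src_win>\d+) "
    r"modulator=\d+ wscale=(?P<src_wscale>\d+)\] "
    r"\[lo=(?P<dst_lo>\d+) high=(?P<dst_hi>\d+) win=(?P<dst_win>\d+) "
    r"modulator=\d+ wscale=(?P<dst_wscale>\d+)\] "
    r"(?P<src_state>\d+):(?P<dst_state>\d+) (?P<flags>\S+) "
    r"seq=(?P<seq>\d+) \((?P<seq_end>\d+)\) ack=(?P<ack>\d+) len=(?P<len>\d+) "
    r"ackskew=(?P<ackskew>-?\d+) pkts=(?P<pkts_src>\d+):(?P<pkts_dst>\d+) "
    r"dir=(?P<direction>\S+)$"
)
_INT_FIELDS = ("src_lo", "src_hi", "src_win", "src_wscale", "dst_lo", "dst_hi",
               "dst_win", "dst_wscale", "src_state", "dst_state", "seq", "seq_end",
               "ack", "len", "ackskew", "pkts_src", "pkts_dst")


def parse_bad_state(line):
    """Return a dict of fields for one pf BAD state line, or None if it is not one."""
    m = BAD_STATE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in _INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def seq_delta(a, b):
    """Signed distance a - b in 32-bit TCP sequence space (handles wraparound)."""
    d = (a - b) & 0xFFFFFFFF
    return d - 0x100000000 if d & 0x80000000 else d


def seq_in_window(seq, lo, hi):
    """True if seq lies within [lo, hi] under sequence-number arithmetic."""
    return seq_delta(seq, lo) >= 0 and seq_delta(hi, seq) >= 0


def is_stale_state_syn(rec):
    """Heuristic for the symptom in the thread: a bare SYN (no ACK) arrives for a
    4-tuple whose existing state has both ends ESTABLISHED, and its sequence number
    is outside the window pf tracks for that side. That is what a client reusing a
    source port before the previous state expired looks like."""
    flags = rec["flags"]
    return ("S" in flags and "A" not in flags
            and rec["src_state"] == TCPS_ESTABLISHED
            and rec["dst_state"] == TCPS_ESTABLISHED
            and not seq_in_window(rec["seq"], rec["src_lo"], rec["src_hi"]))


def triage(log_text):
    """Parse a chunk of /var/log/messages. Returns (Counter of stale-state SYNs
    per (lan, ext) flow, list of parsed records, number of non-matching lines)."""
    reuse, records, skipped = Counter(), [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_bad_state(line)
        if rec is None:
            skipped += 1
            continue
        records.append(rec)
        if is_stale_state_syn(rec):
            reuse[(rec["lan"], rec["ext"])] += 1
    return reuse, records, skipped


if __name__ == "__main__":
    reuse, records, skipped = triage(SAMPLE_LOG)
    for (lan, ext), n in reuse.most_common():
        print(f"{n} stale-state SYN(s) for {lan} -> {ext}")
    print(f"{len(records)} BAD state lines parsed, {skipped} other lines ignored")
```

Run it against `grep 'BAD state' /var/log/messages` output; flows that keep showing up with both sides in state 4 point at `tcp.established` (or at the client reusing ports too quickly), whereas entries with low state numbers on one side would be the ones a shorter `tcp.closed` or `tcp.finwait` could affect.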